X509 cert auth (#23)

sky-sharma · web-flow · commit 93756770dc1a · 2023-09-13T06:39:05.000-05:00
* Added x509keyPair param to Device constructor

* New def authorize_x509(...)

* Modified def post for x509keyPair

* Added mTLS auth info. to README

* Significantly simplified mTLS auth block
diff --git a/README.md b/README.md
@@ -208,13 +208,22 @@ service_user = mySystem.ServiceUser(email, token)
 ---
 ### Devices
 Another common entity that may interact with your system is a **device**. 
-Similar to users, devices must be authenticated before you can use them. 
-To authenticate a device, you need its _active key_. 
+Similar to users, devices must be authenticated before you can use them.
+
+One way to authenticate a device is using its _active key_. 
 
 > Definition: `System.Device(name, key)`  
 > Returns: Device object.
 
 
+Another way to authenticate a device is using mTLS authentication which requires passing an _x509keyPair_ when creating the Device object. 
+
+> Definition: `System.Device(name, x509keyPair={"certfile": "/path/to/your/cert.pem", "keyfile": "/path/to/your.key"})`
+> Returns: Device object.
+
+mTLS authentication is achieved by a POST request being sent to API `{platformURL}:444/api/v/4/devices/mtls/auth` with the provided x509keyPair being loaded into the SSL context's cert chain. This is handled by the SDK.
+
+
 Previously authenticated devices can also connected to your system without being re-authenticated as long as they provide a valid authToken:
 
 > Definition: `System.Device(name, authToken="<valid authToken>")`
diff --git a/clearblade/ClearBladeCore.py b/clearblade/ClearBladeCore.py
@@ -77,8 +77,8 @@ def getDevice(self, authenticatedUser, name):
         dev = Devices.getDevice(self, authenticatedUser, name)
         return dev
 
-    def Device(self, name, key="", authToken=""):
-        dev = Devices.Device(system=self, name=name, key=key, authToken=authToken)
+    def Device(self, name, key="", authToken="", x509keyPair=None):
+        dev = Devices.Device(system=self, name=name, key=key, authToken=authToken, x509keyPair=x509keyPair)
         # check if dev in self.devices?
         return dev
 
diff --git a/clearblade/Devices.py b/clearblade/Devices.py
@@ -24,10 +24,11 @@ def getDevice(system, authenticatedUser, name):
 
 
 class Device:
-    def __init__(self, system, name, key="", authToken=""):
+    def __init__(self, system, name, key="", authToken="", x509keyPair=None):
         self.name = name
         self.systemKey = system.systemKey
         self.url = system.url + "/api/v/2/devices/" + self.systemKey
+        self.mtls_auth_url = system.url + ":444/api/v/4/devices/mtls/auth"
         self.headers = {
             "Content-Type": "application/json",
             "Accept": "application/json"
@@ -41,8 +42,10 @@ def __init__(self, system, name, key="", authToken=""):
             self.token = authToken
             self.headers["ClearBlade-DeviceToken"] = self.token
             cbLogs.info("Successfully set!")
+        elif x509keyPair != None:
+            self.authorize_x509(x509keyPair)
         else:
-            cbLogs.error("You must provide an active key or auth token when creating the device", name)
+            cbLogs.error("You must provide an active key, auth token or x509 key pair when creating or accessing the device", name)
             exit(-1)
 
     def authorize(self, key):
@@ -56,6 +59,17 @@ def authorize(self, key):
         self.headers["ClearBlade-DeviceToken"] = self.token
         cbLogs.info("Successfully authenticated!")
 
+    def authorize_x509(self, x509keyPair):
+        cbLogs.info("Authenticating", self.name, "as a device using x509 key pair...")
+        credentials = {
+            "system_key": self.systemKey,
+            "name": self.name
+        }
+        resp = restcall.post(self.mtls_auth_url, headers=self.headers, data=credentials, sslVerify=self.system.sslVerify, x509keyPair=x509keyPair)
+        self.token = str(resp["deviceToken"])
+        self.headers["ClearBlade-DeviceToken"] = self.token
+        cbLogs.info("Successfully authenticated!")
+
     def update(self, info):
         payload = info
         try:
diff --git a/clearblade/restcall.py b/clearblade/restcall.py
@@ -1,5 +1,6 @@
 from __future__ import print_function, absolute_import
 import json
+import ssl
 import requests
 from requests.exceptions import *
 from . import cbLogs
@@ -46,19 +47,28 @@ def get(url, headers={}, params={}, silent=False, sslVerify=True):
     return resp
 
 
-def post(url, headers={}, data={}, silent=False, sslVerify=True):
+def post(url, headers={}, data={}, silent=False, sslVerify=True, x509keyPair=None):
     # make sure our data is valid json
     try:
         json.loads(data)
     except TypeError:
         data = json.dumps(data)
 
-    # try our request
-    try:
-        resp = requests.post(url, headers=headers, data=data, verify=sslVerify)
-    except ConnectionError:
-        cbLogs.error("Connection error. Check that", url, "is up and accepting requests.")
-        exit(-1)
+    if x509keyPair == None:
+        # try our request
+        try:
+            resp = requests.post(url, headers=headers, data=data, verify=sslVerify)
+        except ConnectionError:
+            cbLogs.error("Connection error. Check that", url, "is up and accepting requests.")
+            exit(-1)
+    else:
+        try:
+            # mTLS auth so load cert
+            resp = requests.post(url, headers=headers, data=data, verify=sslVerify, cert=(x509keyPair["certfile"], x509keyPair["keyfile"]))
+        except ConnectionError:
+            cbLogs.error("Connection error. Check that", url, "is up and accepting requests.")
+            exit(-1)
+
 
     # check for errors
     if resp.status_code == 200:
